While solving a problem where Windows 7 machines connecting through OpenVPN could not ping the machines on the GREEN LAN of an Endian firewall (XP machines could), I first did a few upgrades and then went on to solve the problem.

Upgraded from ESX 3.5 to ESXi 4.1 (I needed this anyway because of Pass Through USB support)

Upgraded the community edition appliance from Endian 2.2 to Endian 2.4 (which has more configuration options, and better ways for reporting and logging)

Then I went on solving the issue, which I suspected was a kind of routing problem. The steps below are specifically for the Endian Firewall Community Edition version 2.4 (I’ll call this Endian 2.4 from now on) running on VMware ESXi 4.1.
Endian 2.2 on ESX 3.5 behaved differently: for XP, I didn’t need to add a VPN traffic firewall rule or a default route. For Windows 7, I couldn’t get it to work, and since I needed to upgrade both anyway, I did the upgrades first.

After an extensive search, the two posts below (follow the links to read more than just the quotes) pointed me in the right direction.

These are the steps I had to perform on Endian 2.4 to get ping to hosts on the GREEN LAN working through OpenVPN:

Endian 2.4 configuration changes

Add a VPN traffic firewall rule that allows ANY traffic.
Steps:

Logon to the web interface of your Endian 2.4 box

Click on the “Firewall” link in the dark grey main menu bar

Click on the “VPN traffic” link in the left submenu bar

If the state button shows the VPN firewall as disabled, click it until it shows as enabled

Click on the link “Add a new VPN firewall route”

For logging purposes, you can check “Log all accepted packets”
(make sure you turn that off once your routing works; otherwise every accepted packet through the VPN ends up in the firewall log)

In my case (I wanted all OpenVPN users to be able to reach the green zone), I chose this configuration:

Rule 1:
– Source: GREEN + OPENVPN
– Destination: RED, GREEN + OPENVPN, ORANGE, IPSEC, Uplink main
– Service: <ANY>
– Policy: Allow
– Remark: Allow ANY for GREEN + OpenVPN to ANY


In the big green area that appeared on top, press the “Apply” button

Examining the firewall log is easy:

Logon to the web interface of your Endian 2.4 box

Click on the “Logs” link in the dark grey main menu bar

Click on the “Firewall” link in the left submenu bar

Watch the ping requests come in :-)
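With “Log all accepted packets” switched on, the VPN firewall log shows every echo request that crossed the rule, and (if the return path works) the matching echo reply. Requests that were accepted but never got a reply are exactly the symptom described on this page, and they point at the return path (routing, or the vSwitch dropping frames) rather than at the firewall rule. The script below is an added example, not code from the original post or from Endian: it parses netfilter LOG lines in the standard key=value format (the “VPNFW:ACCEPT” prefix, the tap0/br0 interface names and the 10.177.0.0/24 VPN pool are assumptions, as is the constructed sample log) and lists echo requests from the VPN pool to GREEN that have no reply.

```python
import ipaddress
import re

# Constructed sample log in netfilter LOG key=value format. The "VPNFW:ACCEPT"
# prefix, the interface names and the 10.177.0.0/24 VPN pool are assumptions;
# the real Endian prefix may differ. Two pings to .10 are answered, the ping to
# .11 is not, and the last line is an unrelated TCP packet.
SAMPLE_LOG = """\
Apr 12 10:15:01 efw kernel: VPNFW:ACCEPT IN=tap0 OUT=br0 SRC=10.177.0.6 DST=172.16.41.10 LEN=60 TTL=127 ID=301 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=5
Apr 12 10:15:01 efw kernel: VPNFW:ACCEPT IN=br0 OUT=tap0 SRC=172.16.41.10 DST=10.177.0.6 LEN=60 TTL=64 ID=7781 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=5
Apr 12 10:15:02 efw kernel: VPNFW:ACCEPT IN=tap0 OUT=br0 SRC=10.177.0.6 DST=172.16.41.11 LEN=60 TTL=127 ID=302 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=6
Apr 12 10:15:03 efw kernel: VPNFW:ACCEPT IN=tap0 OUT=br0 SRC=10.177.0.6 DST=172.16.41.10 LEN=60 TTL=127 ID=303 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7
Apr 12 10:15:03 efw kernel: VPNFW:ACCEPT IN=br0 OUT=tap0 SRC=172.16.41.10 DST=10.177.0.6 LEN=60 TTL=64 ID=7782 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=7
Apr 12 10:15:04 efw kernel: VPNFW:ACCEPT IN=tap0 OUT=br0 SRC=10.177.0.6 DST=172.16.41.10 LEN=52 TTL=127 ID=304 PROTO=TCP SPT=49152 DPT=445
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of one netfilter LOG line as a dict.

    A later duplicate key overwrites an earlier one, so for ICMP lines the
    'ID' field ends up holding the ICMP identifier (which follows TYPE/CODE),
    not the IP header ID. That is the value needed to pair requests with
    replies. Lines without a PROTO field are not packet log lines.
    """
    fields = dict(KV_RE.findall(line))
    return fields if "PROTO" in fields else None


def unanswered_pings(log_text, vpn_net, green_net):
    """List echo requests from vpn_net to green_net that have no echo reply.

    Returns sorted (src, dst, icmp_id, seq) tuples. Requests and replies are
    matched on ICMP identifier and sequence number with the addresses reversed.
    """
    vpn = ipaddress.ip_network(vpn_net)
    green = ipaddress.ip_network(green_net)
    requests = {}
    replies = set()
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("PROTO") != "ICMP":
            continue
        src = ipaddress.ip_address(f["SRC"])
        dst = ipaddress.ip_address(f["DST"])
        icmp_id, seq = f.get("ID"), f.get("SEQ")
        if f.get("TYPE") == "8" and src in vpn and dst in green:
            # Echo request leaving the VPN towards GREEN.
            requests[(str(src), str(dst), icmp_id, seq)] = line
        elif f.get("TYPE") == "0" and src in green and dst in vpn:
            # Echo reply coming back; key it the same way round as the request.
            replies.add((str(dst), str(src), icmp_id, seq))
    return sorted(key for key in requests if key not in replies)


if __name__ == "__main__":
    for src, dst, icmp_id, seq in unanswered_pings(SAMPLE_LOG, "10.177.0.0/24", "172.16.41.0/24"):
        print(f"no reply: {src} -> {dst} (icmp id {icmp_id}, seq {seq})")
```

On a real box, feed it the firewall log exported from the “Logs” page (or /var/log/messages over SSH) with your own VPN pool and GREEN network. A long list of unanswered requests to hosts that do answer pings from GREEN itself means the requests are reaching the firewall rule but the replies never make it back, which is where the promiscuous-mode change below comes in.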

Some people also need the Endian OpenVPN server to push the GREEN LAN as a route.
I didn’t need to do that, but in case you do, these are the steps to follow:

Logon to the web interface of your Endian 2.4 box

Click on the “VPN” link in the dark grey main menu bar

Click on the “Advanced” link in the light grey sub menu bar

In the “Global push options” section, make sure that next to “Push these networks”
– the “Enable” checkbox is checked
– the textbox contains a valid GREEN network and netmask in CIDR notation (in my case it was “172.16.41.0/24”)

Press the “Save and restart” button in the “Global push options” section
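The CIDR typed into “Push these networks” corresponds to an OpenVPN server directive of the form push "route network netmask", and the quickest way to see whether a Windows 7 client actually picked it up is to look at its route table: the GREEN network must be routed through the VPN adapter, not through the client’s default gateway. The following is an added example, not code from the original post or from Endian or OpenVPN: it builds the push directive from the CIDR and checks a constructed route print excerpt (the 10.177.0.0/24 VPN pool, the 10.177.0.6 client address and the 10.177.0.1 gateway are assumptions) for a GREEN route that leaves via the tunnel.

```python
import ipaddress
import re


def push_directive(cidr):
    """Translate a CIDR as typed into Endian's 'Push these networks' box into the
    OpenVPN server directive it corresponds to (OpenVPN wants a dotted netmask)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f'push "route {net.network_address} {net.netmask}"'


# Constructed excerpt of `route print` on a Windows 7 VPN client. The VPN pool
# 10.177.0.0/24, the client address 10.177.0.6 and the gateway 10.177.0.1 are
# assumptions; 192.168.1.0/24 is the client's local LAN.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     10
       10.177.0.0    255.255.255.0         On-link       10.177.0.6    286
      172.16.41.0    255.255.255.0       10.177.0.1      10.177.0.6     30
      192.168.1.0    255.255.255.0         On-link    192.168.1.50    266
===========================================================================
"""

# One IPv4 route line: destination, netmask, gateway (IP or "On-link"),
# interface address, metric.
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_windows_routes(text):
    """Return (network, gateway, interface, metric) tuples from `route print` output.
    Header, separator and IPv6 lines do not match the pattern and are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gateway, iface, metric = m.groups()
            routes.append((ipaddress.ip_network(f"{dest}/{mask}"), gateway,
                           ipaddress.ip_address(iface), int(metric)))
    return routes


def green_route_via_vpn(text, green_cidr, vpn_pool_cidr):
    """Return (gateway, interface) for the GREEN route if it leaves through an
    interface address inside the VPN pool; None if the pushed route is missing
    or points out of the wrong interface."""
    green = ipaddress.ip_network(green_cidr)
    pool = ipaddress.ip_network(vpn_pool_cidr)
    for net, gateway, iface, _metric in parse_windows_routes(text):
        if net == green and iface in pool:
            return gateway, str(iface)
    return None


if __name__ == "__main__":
    print(push_directive("172.16.41.0/24"))
    print(green_route_via_vpn(SAMPLE_ROUTE_PRINT, "172.16.41.0/24", "10.177.0.0/24"))
```

If the function returns None on a client that does show the pushed route in its OpenVPN log, the route was received but not installed; on Windows 7 that usually means OpenVPN is not running with the administrator rights it needs to add routes.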

ESXi 4.1 configuration change

Enable “Promiscuous Mode” for the vSwitch port group that the GREEN NIC of the Endian is connected to.

In the ESXi configuration,
– Select your ESXi server in the tree view on the left
– Select the “Configuration” tab
– Find the “Virtual Switch” that the GREEN NIC of your Endian connects to
– Click on the “Properties” link for that Virtual Switch
– Select the “Virtual Machine Port Group”
– Click “Edit”
– Go to the “Security” tab
– Check the box next to “Promiscuous Mode”, then set the value in the combobox to “Accept”
– Press the “OK” button in the “Virtual Machine Port Group” dialog
– Press the “Close” button in the “Virtual Switch” dialog

Why enable Promiscuous Mode?
A vSwitch port only delivers frames addressed to the MAC address of the virtual NIC attached to it (plus broadcast and multicast). A router or bridge handles frames on behalf of other MAC addresses, as the Endian does when it bridges OpenVPN clients onto GREEN, so it needs to see frames the vSwitch would otherwise never hand to it. Promiscuous mode enables that. The related “Forged Transmits” setting must also be “Accept” (the default on a standard vSwitch) for the bridge to send frames with source MAC addresses other than its own.
Note that promiscuous mode is a property of the whole port group: every VM in it can then sniff all traffic on that port group. Keep the Endian’s GREEN NIC in a port group of its own and leave promiscuous mode on “Reject” everywhere else.

After knowing all this, it was easy to find someone else who did similar things:

[…] Enable Promiscuous mode on the vSwitch that is going to run the Windows MSM LSI management software. I had to do this once before when installing ENDIAN Firewall – Connected client can access EFW but no other hosts: enable promiscuous mode on V… 4.1: […]

Silnic said

GOD BLESS YOU !!!!! Many many many thanks! Thank you so much for the info about promiscuous mode on ESXi. It was so frustrating … I have tried many things but … this … I would have never expected it to be because of VMware. Thanks again !!!